22,000 victims of 2020 Finnish psychotherapy data breach have filed reports of data misuse

Finnish media has reported new developments in the data breach investigation of the Vastaamo psychotherapy practice.

In October 2020, the psychotherapy center, which operated in nearly a dozen Finnish cities, started delivering notice that a cyberattack exposed sensitive data of up to 40,000 of its customers – including notes from private therapy sessions.

The latest investigation into the attack, which began in November 2018, has revealed that around 22,000 customers filed reports with local police after their personal data was misused.

Only 10 to 15 victims have confirmed paying ransom to extortionists, and police even suspect a few cases of identity theft.

Nearly two years after the breach, police believe the attack was conducted by an external threat actor, but they don’t exclude the participation of domestic and even Vastaamo employees.

"We have made progress with it and we are still working on it," said head investigator Marko Leponen. "The fact that the line of investigation leads abroad does not in any way exclude the possibility of a Finnish perpetrator. Time will tell if there will be a domestic, foreign or a combination of both."

National police are also investigating the possibility that Vastaamo employees played a role in leaking client data, and their reports will be transferred to prosecutors by October.

Internal sabotage was not confirmed, but investigators suspect that some employees (less than five) may have violated privacy protection laws.

"The police's suspicion at this stage is between intent and gross negligence,” Leponen added. “It's the prosecutor's job to see if it ultimately also corresponds to his point of view.”

Personally identifiable information and sensitive consumer data can be highly profitable for cyber thieves. In the case of Vastaamo patients, blackmailers have apparently had a field day capitalizing on victims. This unfortunate incident stands as a reminder that we should never assume that our online presence or information will never be discovered.

If you want to stop guessing what the internet knows about you and stay on top of data breaches, check out Bitdefender’s Digital Identity Protection tool. Our privacy-oriented service maps out your digital footprint and monitors if your accounts are exposed and alerts you whenever your personal information and identity are at risk.

For more privacy and identity theft solutions, visit https://www.bitdefender.com/solutions/